
Move sanitizing to marked, add rel="nofollow" to links.

A. Darian 8 년 전
부모
커밋
262262b68a
2개의 변경된 파일59개의 추가작업 그리고 6개의 파일을 삭제
  1. 19 2
      src/renderers/index.ts
  2. 40 4
      typings/marked/marked.d.ts

+ 19 - 2
src/renderers/index.ts

@@ -28,6 +28,24 @@ import {
   typeset, removeMath, replaceMath
 } from './latex';
 
+class MarkedRenderer extends marked.Renderer {
+  link(href: string, title: string, text: string): string {
+    let output = super.link(href, title, text);
+    if (!output) {
+      return output;
+    }
+    if (0 === href.indexOf('//') || href.indexOf(':') > -1) {
+      return output.replace('href=', 'rel="nofollow" href=');
+    }
+    return output;
+  }
+}
+
+marked.setOptions({
+  renderer: new MarkedRenderer(),
+  sanitize: true
+});
+
 
 /**
  * A widget for displaying HTML and rendering math.
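Review bot: The `marked.setOptions({...})` call at module scope changes marked's shared defaults, so the `sanitize: true` that `MarkdownRenderer.render` now relies on can be undone by any other module that later calls `setOptions`, and this renderer is applied to every other caller of `marked` in the application. Passing the options at the call site keeps the guarantee local to this renderer: `let html = marked(data['text'], { renderer: new MarkedRenderer(), sanitize: true });`. In `link()`, a short comment would help the next reader: the empty-`output` early return presumably covers hrefs the base renderer rejected under `sanitize`, and `output.replace('href=', …)` depends on the base renderer emitting `<a href=` first, so a change in marked's output format would silently drop the `rel="nofollow"`.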
@@ -205,7 +223,6 @@ class MarkdownRenderer implements IRenderer<Widget> {
   render(mimetype: string, text: string): Widget {
     let data = removeMath(text);
     let html = marked(data['text']);
-    let sanitized = sanitize(replaceMath(html, data['math']));
-    return new HTMLWidget(sanitized);
+    return new HTMLWidget(replaceMath(html, data['math']));
   }
 }
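Review bot: The content that `replaceMath(html, data['math'])` splices back into the page no longer passes through any sanitizer, because marked's `sanitize` option only ever sees `data['text']`, after `removeMath` has pulled the math spans out. Neither helper's body is visible here, but if `replaceMath` re-inserts those spans verbatim, markup inside math delimiters in an untrusted document would reach `HTMLWidget` unescaped. Keeping the final pass closes that gap, provided `sanitize` is still imported: `return new HTMLWidget(sanitize(replaceMath(html, data['math'])));`. It is also worth noting in a comment that marked's `sanitize` escapes raw HTML rather than filtering it against an allow-list, so it is not a like-for-like replacement for the removed call. The enclosing `MarkdownRenderer` class begins outside this hunk.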

+ 40 - 4
typings/marked/marked.d.ts

@@ -1,8 +1,7 @@
 // Type definitions for Marked
 // Project: https://github.com/chjj/marked
 // Definitions by: William Orr <https://github.com/worr>
-// Definitions: https://github.com/borisyankov/DefinitelyTyped
-
+// Definitions: https://github.com/DefinitelyTyped/DefinitelyTyped
 
 interface MarkedStatic {
     /**
@@ -59,7 +58,44 @@ interface MarkedStatic {
      *
      * @param options Hash of options
      */
-    setOptions(options: MarkedOptions): void;
+    setOptions(options: MarkedOptions): MarkedStatic;
+
+    Renderer: {
+        new(): MarkedRenderer;
+    }
+
+    Parser: {
+        new(options: MarkedOptions): MarkedParser;
+    }
+}
+
+interface MarkedRenderer {
+    code(code: string, language: string): string;
+    blockquote(quote: string): string;
+    html(html: string): string;
+    heading(text: string, level: number, raw: string): string;
+    hr(): string;
+    list(body: string, ordered: boolean): string;
+    listitem(text: string): string;
+    paragraph(text: string): string;
+    table(header: string, body: string): string;
+    tablerow(content: string): string;
+    tablecell(content: string, flags: {
+        header: boolean,
+        align: string
+    }): string;
+    strong(text: string): string;
+    em(text: string): string;
+    codespan(code: string): string;
+    br(): string;
+    del(text: string): string;
+    link(href: string, title: string, text: string): string;
+    image(href: string, title: string, text: string): string;
+    text(text: string): string;
+}
+
+interface MarkedParser {
+    parse(source: any[]): string
 }
 
 interface MarkedOptions {
@@ -68,7 +104,7 @@ interface MarkedOptions {
      *
      * An object containing functions to render tokens to HTML.
      */
-    renderer?: Object; 
+    renderer?: MarkedRenderer;
 
     /**
      * Enable GitHub flavored markdown.